Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 866233 (CVE-2020-35511) - <media-gfx/pngcheck-3.0.3: global buffer overflow
Summary: <media-gfx/pngcheck-3.0.3: global buffer overflow
Status: IN_PROGRESS
Alias: CVE-2020-35511
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.libpng.org/pub/png/apps/pn...
Whiteboard: B3 [stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-24 00:01 UTC by John Helmert III
Modified: 2022-12-16 07:19 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-24 00:01:21 UTC
CVE-2020-35511:

A global buffer overflow was discovered in pngcheck function in pngcheck-2.4.0(5 patches applied) via a crafted png file.

Of course, I have no idea if we're affected or what this even is. I've
asked RedHat for clarification.
Comment 1 Teika kazura 2022-12-16 00:42:24 UTC
This report is obsolete now; we only have 3.0.2 in the portage tree.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-16 07:14:48 UTC
In 3.0.3...
 
  *               UNTESTED, however!
  * 20210131 GRR: released version 3.0.2
  *               ----------------------
+ * 20210416 BB:  fixed a divide-by-zero crash bug (and probable vulnerability)
+ *               in interlaced images with extra compressed data beyond the
+ *               nominal end of the image data (found by "chiba of topsec alpha
+ *               lab")
+ * 20210425 GRR: released version 3.0.3
+ *               ----------------------
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-16 07:15:31 UTC
(In reply to Teika kazura from comment #1)
> This report is obsolete now; we only have 3.0.2 in the portage tree.

The report, due to it being extremely vague, wasn't clear about what - if any - versions were fixed.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-16 07:16:18 UTC
(In reply to Sam James from comment #2)
> In 3.0.3...
>  
>   *               UNTESTED, however!
>   * 20210131 GRR: released version 3.0.2
>   *               ----------------------
> + * 20210416 BB:  fixed a divide-by-zero crash bug (and probable
> vulnerability)
> + *               in interlaced images with extra compressed data beyond the
> + *               nominal end of the image data (found by "chiba of topsec
> alpha
> + *               lab")
> + * 20210425 GRR: released version 3.0.3
> + *               ----------------------

Site has a banner for it:
"""
pngcheck versions 3.0.2 and earlier have a divide-by-zero bug when zlib-decoding interlaced PNGs with extra data beyond what is required for the declared image dimensions. This bug is fixed in version 3.0.3, released on 25 April 2021. Again, while all known vulnerabilities are fixed in this version, the code is quite crufty, so it would be safest to assume there are still some problems hidden in there. As always, use at your own risk. 
"""

I'm going to assume that it was either this or an earlier vuln.
Comment 5 Larry the Git Cow gentoo-dev 2022-12-16 07:18:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34564839cadebb24c14385ce59055d7c5ead97c2

commit 34564839cadebb24c14385ce59055d7c5ead97c2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-16 07:16:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-16 07:16:40 +0000

    media-gfx/pngcheck: add 3.0.3
    
    Bug: https://bugs.gentoo.org/866233
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/pngcheck/Manifest              |  1 +
 media-gfx/pngcheck/pngcheck-3.0.3.ebuild | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)